Title: Coming up: Vote verification talk by Alan Sherman (UMBC)
1 Coming up: Vote verification talk by Alan Sherman (UMBC)
2 A Study of Vote Verification Technologies
- Alan T. Sherman
- Dept. of CSEE
- University of Maryland, Baltimore County (UMBC)
- May 3, 2006
3 Joint work with
- Don Norris, Dept. of Public Policy, MIPAR
- John Pinkston, Dept. of CSEE
- A. Gangopadhyay, S. Holden, G. Karabatis, A.G. Koru, C. Law, A. Sears, D. Zhang
- Dept. of Information Systems
- National Center for the Study of Elections of the Maryland Institute for Policy Analysis and Research (MIPAR)
4 Diebold AccuvoteTS: Touch Screen Direct Recording Equipment (DRE)
5 How well do verifiers enable voters to check their votes are
- cast as intended
- recorded as cast
- tallied as recorded?
6 Overview
- Evaluated 4 vote verification products
- Diebold paper trail (VVPAT)
- MIT-Selker audio system
- Scytl Pnyx.DRE software system
- VoteHere Sentinel (cryptographic receipts)
- For Maryland State Board of Elections
- Analysis in context of real elections
- Interdisciplinary study: first of its kind
7 Outline
- Background and motivation
- Voting in Maryland
- Related work
- Genesis of UMBC study
- Verification Systems
- Study systems, evaluation criteria
- Analysis
- Maryland Procedures
- Discussion, conclusions, open problems
8 Background and Motivation
9 Background
- Following 2000 fiasco in FL, MD moved to DREs and centralized management
- Began purchasing Diebold DREs in 2001
- DREs improved accuracy and efficiency
- No irregularities have been detected, but...
10 DREs Improve Accessibility
- Visually-impaired voters can use headsets, large fonts, or both
- So can anyone else too
11 Can DREs Be Trusted?
- Malicious code
- Subversion of system (hardware, software, OS)
- Faulty design, implementation
- Key management
- Configuration
- Data handling
- Physical storage and security
- Play Baxter Movie
12 Voting in Maryland
- 20,000 DREs (100 by fall 2006)
- 23 counties and Baltimore City
- Dual system of state and local control
- 3.1 million registered voters
- (5.6 million residents)
- 96 million on Diebold system by FY 2007
- (2.82 / resident / year over 6 years)
- Financially committed to Diebold through 2012
13 What Is Special About Voting?
- Critical national infrastructure
- Everyone must be able to vote
- Elderly, infirm, disabled (blind, deaf)
- Below average IQ
- Happens infrequently
- Voters must have confidence in outcome
- Conform to state and federal law
14 Genesis of Study
- MD General Assembly (GA)
- considered move toward paper trail (2005)
- GA mandated study (2005)
- Governor Ehrlich vetoed study
- State Board of Elections commissioned study (August 2005)
15 Study Question
- How well do various vote verification products work?
- NOT
- What voting system should MD use?
- Is the Diebold System secure?
16 Options for Maryland
- Keep Diebold, with parallel testing; continue monitoring technology
- Add verification system to Diebold
- Change to different system
- Precinct-count optical scan (e.g., Automark, Populex)
- Receipt-based system (e.g., VoteHere, Punchscan)
- Discussing third option is outside study scope
17 Related Work
- Usability study (Herrnson, et al., 2006)
- www.capc.umd.edu
- Survey of MD voters (Norris, 2006)
- www.umbc.edu/mipar
18 Diebold GEMS Server
- Dedicated workstation at each LBE; accumulates DRE votes; generates reports
19 Diebold GEMS Server
- Dedicated workstation at each LBE; accumulates DRE votes; generates reports
- All tallies checked by hand from printouts from each DRE of DRE totals
20 Verification Systems
21 Benefits of Verification
- Increased assurance via independent system
- Adversary must corrupt two systems
- Separate tally and audit log
22 Challenges to Verification
- Adds complexity (increases cost, chance of disruption, opportunity for privacy loss)
- Lack of standard interfaces
- Requires modification of Diebold software
- Is true system independence possible?
23 Study Systems
- Diebold VVPAT
- MIT-Selker audio system
- Scytl Pnyx.DRE
- VoteHere Sentinel
- Democracy Systems VoteGuard
- Avante
- IP.Com
- Parallel testing of DREs
24 Study Systems
- Diebold VVPAT
- MIT-Selker audio system
- Scytl Pnyx.DRE
- VoteHere Sentinel
- Democracy Systems VoteGuard
- Avante
- IP.Com
- Parallel testing of DREs
25 Math Challenge on Parallel Testing
- Given that B of the N DREs are bad, what is the chance of selecting at least one bad DRE in a random sample of k DREs?
- Solution later
26 Evaluation Criteria
- Reliability
- Functional completeness
- Accessibility
- Data management
- Election integrity, voter privacy
- Implementation / integration with DRE
- Impact on voters and procedures
27 Security Criteria
- Election integrity
- Ballots cast as intended
- Ballots recorded as cast
- Ballots tallied as recorded
- Voter privacy
- Resistance to disruption
28 Study Methods
- Met with vendor
- Examined product in UMBC lab
- Assigned numerical score for each criterion (1-low, 5-high)
- Wrote narrative
- We did not weight the scores to yield an overall score or product recommendation
29 Diebold VVPAT: pros
- Prints votes on paper roll
- Relatively simple and intuitive
- Produces physical record
30 Diebold VVPAT: cons
- Can LBEs store paper rolls securely?
- Voter cannot verify what rolls used in recount
- Paper roll records order of votes cast
- Barcodes cannot be trusted
- Lacks vendor independence
- Printer jams easily
- Blind cannot verify paper record, only audio output
- Costly (1,500 / add-on unit)
31 MIT-Selker Audio System: pros
- Records votes on audio tape
- Easier to catch mistakes
- Relatively simple
- Produces physical record
- Relatively simple integration
- No software required
- Inexpensive (100 / unit)
32 MIT-Selker Audio System: cons
- Can LBEs store tapes securely?
- Voters cannot verify what tapes are used in recount
- Tape records order of votes cast
- Deaf cannot use
- Recount is labor intensive
- Vendor lacks business plan
- Needs reliable storage of magnetic media
33 Scytl Pnyx.DRE: pros
- Echoes ballot choices on confirmation screen
- Stores electronic copy of vote
- Well engineered
- Has been used outside USA
- Two-way handshake with DRE
34 Scytl Pnyx.DRE: cons
- Must trust software to store displayed vote
- Can cause DRE to fail and vice-versa (via two-way handshake)
- More complicated integration with DRE
- Not all functionality implemented
- 500 / unit
35 VoteHere Sentinel: pros
- Outstanding election integrity: voter can verify vote is recorded in official data as cast, and that tally is computed correctly from official data
- Integrity based on cryptography, not computer security
- Open source, high quality software
- Disabled voters can enjoy same level of integrity
36 VoteHere Sentinel: cons
- Application software missing (only reference library exists)
- More complicated voter experience, conceptual model, election officials must maintain web site
- Most voters will not understand the cryptography
- No attempt to maintain consistency between DRE and Sentinel
- 500 / unit
37 Parallel Testing
- Attempts to detect widespread corruption of DREs
- Tests randomly-selected DREs on election day in simulated election
- Limitations
- Can adversary signal selected DREs?
- Number and choice of DREs for testing
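The sample-size question behind parallel testing (the Math Challenge slide: B bad DREs among N, random sample of k), worked through as an added example that is not from the talk. It assumes a uniform random sample drawn without replacement; the function names, the corruption levels and the 95% target are illustrative assumptions, and N = 20,000 is taken from the Maryland slide.

```python
from fractions import Fraction


def miss_probability(n_total, n_bad, k):
    """P(no bad DRE among k drawn without replacement) = C(N-B, k) / C(N, k)."""
    if not (0 <= n_bad <= n_total and 0 <= k <= n_total):
        raise ValueError("need 0 <= B <= N and 0 <= k <= N")
    p = Fraction(1)
    for i in range(k):
        # Draw i+1 is clean: (good DREs left) / (DREs left).
        p *= Fraction(n_total - n_bad - i, n_total - i)
        if p == 0:  # sample exceeds the number of good DREs
            break
    return p


def detection_probability(n_total, n_bad, k):
    """P(at least one bad DRE is in the sample)."""
    return 1 - miss_probability(n_total, n_bad, k)


def min_sample_size(n_total, n_bad, confidence):
    """Smallest k whose detection probability reaches `confidence`."""
    if not 0 < confidence <= 1:
        raise ValueError("confidence must be in (0, 1]")
    if not 0 <= n_bad <= n_total:
        raise ValueError("need 0 <= B <= N")
    if n_bad == 0:
        return None  # nothing to find, so no sample can detect it
    k, miss = 0, Fraction(1)
    while 1 - miss < confidence:
        miss *= Fraction(n_total - n_bad - k, n_total - k)
        k += 1
    return k


if __name__ == "__main__":
    N = 20_000  # DRE count from the "Voting in Maryland" slide
    for bad_share in (0.001, 0.01, 0.05):  # assumed corruption levels
        B = round(N * bad_share)
        k = min_sample_size(N, B, 0.95)  # 95% target is an assumption
        print(f"B={B:5d}: test k={k} DREs -> "
              f"P(detect)={float(detection_probability(N, B, k)):.4f}")
```

The result holds only if a corrupted DRE cannot tell that it has been selected for testing, which is the signalling limitation listed on the slide.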
38 Probability of Selecting Bad DRE
39 Probability of Selecting Bad DRE
40 Summary Scores
41 Maryland Procedures
42 Installing DRE Software
- SBE technicians install OS and application software on all DREs (critical process)
- Diebold object code from Independent Testing Agency (ITA)
- Cryptographic hash check performed on trusted SBE machine
- DREs stored at LBEs
43 Voter Authority Cards
- Physical card at precinct for each voter
- Records DRE used by voter
- Poll workers may not ask for photo ID (only utility bill)
44 Discussion, Conclusions, Open Problems
45 Modifying Diebold Software
- Needed for verification systems
- Requires Diebold cooperation
- Diebold not commercially motivated
- Who pays?
- Must pass ITA after any change
46 Why Are Products Not Better?
- Relatively small market
- Lack of clear performance standards
- Multitude of state and local styles for ballots and reports
- Security (and accessibility) is afterthought
- Emerging technologies
- Funding technologies for the social good
47 Vendors Should Provide
- Product description
- Functional specifications
- Testable reference implementation
- Performance data from mock election
- Documentation
48 Open Problems
- Standard interfaces for verifiers
- Adversarial data consistency problem
- Develop/improve receipt-based systems (e.g. Punchscan, David Chaum)
- Performance ratings guidelines
49 Adversarial Data Consistency Problem
- (DRE and verifier honest) ⇒ tallies agree
- Minimize disruption by one dishonest unit
- Ex: Voter aborts in middle of process
50 Adversarial Data Consistency Problem
- Two-way communication
- enables either unit to cause disruption
- facilitates collusion among two dishonest units
51 Call for National Cooperation
- National standards (beyond HAVA 2002)
- Standard interfaces
- Performance ratings guidelines
- Standard configurations (ballot styles, report formats)
- Joint funding for R&D
52 Other Voting Issues
- Encouraging people to vote
- Registration
- Absentee / provisional ballots
- Accessibility
- Mathematics of voting (e.g., Borda Count)
- Internet voting
53 MD House Bill-244
- Mandates voter verified paper record (not paper roll)
- Paper record is official record
- House approved 137-0
- Governor now supports
- Senate killed by not voting
- Costs 24-50 million
54 Questions / Discussion
55 Acknowledgments
- VoteHere model diagram from VoteHere
- VoteHere voter experience diagram by Kevin Fisher
- Photos from Google Images
56 Rivest-Sherman Ciphertext-Only Attacks on Enigma
- Tomorrow (Friday)
- 10:30am
- same location
57 Extra slides
58 VoteHere Model
60 Understanding Politics
- Gov. Ehrlich stole democratic issue
- Wants to be able to question outcome of next election (?)
- Heavy lobbying by TrueVoteMD
Linda Lamone (D)
Governor Ehrlich (R)
61 Summary Security and Privacy Scores
62 Diebold AccuvoteTS
[Diagram labels: Voter Authority; tally; Precinct Official; tally; Key, Configuration]
63 VoteHere Model